1. Field of the Invention
The present invention relates computer security and intrusion detection systems. More specifically, the present invention relates to a method and an apparatus for automatically generating a valid behavior specification for use in an intrusion detection system.
2. Related Art
After more than a decade of research, intrusion detection has been widely adopted as a retrofit solution to the increasingly important problem of computer security. Many commercial intrusion detection systems (IDSs) have been developed and pushed onto the market. Some of these IDSs can reliably detect penetrations that employ known attack methods, which account for the majority of the attack incidents. Nevertheless, attackers are getting more advanced and sophisticated. Attackers increasingly make use of automated scripts to attack systems from different locations in a short period of time. In addition, they attempt to escape IDS detection by using new attack methods (e.g., exploiting a new vulnerability) that are not modeled by the signature database of an IDS. Real-time detection of previously unseen attacks with high accuracy and a low false alarm rate remains a challenge.
Current intrusion detection approaches—anomaly detection, misuse detection, and specification-based detection—have different strengths with regards to detecting unknown attacks. Anomaly detection, which identifies intrusive activities based on deviations from a normal behavior profile, is able to detect unknown attacks because the normal profile is independent of the system vulnerability. Many different techniques have been employed to establish normal behavior profiles from historical behavior. The major difficulty remains to detect intrusions accurately and minimize the false alarm rate. Also, most techniques identify a procedure for detecting attacks without explaining why the detected incident is an attack, what went wrong, or how to fix the problem.
Misuse detection, though widely employed to detect known attacks, also has the potential to detect unknown attacks. This capability arises from the fact that generic signatures/rules can be written to detect classes of attacks that have similar manifestations (e.g., buffer-overflow attacks). In principle, one might be able to hypothesize attacks based on models of attacks and vulnerabilities and develop generic signatures to detect the attacks. However, little research has been done on how to write generic signatures and there is no systematic methodology for developing generic signatures.
Specification-based techniques, which detect deviations of executing programs from valid behavior, have shown early promise for detecting previously unseen attacks. Specification-based detection approaches the problem from a human-reasoning perspective, trying to develop “formally” what is valid based on the functionality of the program, its usage, and the system security policy. The premise is that penetrations often cause privileged programs to behave differently from their intended behavior, which, for most programs, is fairly regular and can be concisely specified. It can achieve a very low false alarm rate and can explain why the deviation is an intrusion. Nevertheless, specifications presently have to be written by system and security experts for every security-critical program in a system. This is a very time-consuming and expensive process.
What is needed is a method and an apparatus for automating the process of generating a valid behavior specification for use in detecting previously unseen attacks through intrusion detection system.